cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
599
Views
5
Helpful
2
Replies

ASA IOS version 9.4 Destination NAT, assistance required

soumbis12
Level 1
Level 1

Hi All,

 

Presently, we are in a phase to migrate the whole Security devices from Juniper to ASA. the ASA version running on the device is: 9.4.

Below is the nat configuration of the Juniper box.
 

static {

    rule-set All-ATMs-to-Radia {

        from zone VPN-VSAT-Branches;

        rule All-ATMs-to-Radia {

            match {

                destination-address 10.34.185.70/32;

            }

            then {

                static-nat {

                    prefix {

                        10.34.196.47/32;

                    }

                }

            }

        }

    }

    rule-set static-801-to-196 {

        from interface reth0.801;

        rule static-801-to-196 {

            match {

                destination-address 10.34.185.70/32;

            }

            then {

                static-nat {

                    prefix {

                        10.34.196.47/32;

                    }

                }

            }

        }

    }

    rule-set static-412-to-196 {

        from interface reth0.412;

        rule static-412-to-196 {

            match {

                destination-address 10.34.185.70/32;

            }

            then {

                static-nat {

                    prefix {

                        10.34.196.47/32;

                    }

                }

            }

        }

    }

    rule-set static-511-to-196 {

        from interface reth0.511;

        rule static-511-to-196 {

            match {

                destination-address 10.34.185.70/32;

            }

            then {

                static-nat {

                    prefix {

                        10.34.196.47/32;

                    }

                }

            }

        }

    }

}

 

Now, Zone mapping between Juniper and ASA is :

Zone: VPN-VSAT-Branches (Juniper) -- > Interface: VPN-Branches (CISCO)

Interface reth0.412 (Juniper) -- > interface TPX-VPN (CISCO)

Interface reth0.511 (Juniper)  --> Interface OUTSIDE (CISCO)

Real Destination IP: 10.34.185.70/32 ( Belongs to VLAN 513)

Mapped Destination IP: 10.34.196.47/32 (Belongs to VLAN 512)

 

Need help to get the configuration systax for ASA 9.4 so that we can achieved the same in ASA.

Warm Regards,

Soumik

 

 

2 Replies 2

Dinesh Moudgil
Cisco Employee
Cisco Employee

Hi Soumik,

Here is a tool to convert Juniper ScreenOS configurations to Cisco ASA configs:-
https://fwmig.cisco.com/

HTH

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh, 

Thanks for the response. I have converted the config using tool only.But for this NAT rule , It is converted wrongly using the tool.

 

it is converted as 

nat (any,any) source static any any destination static 10.34.185.70 10.34.185.70

As per the Juniper configuration, this is not the case against the Natting

 

Hence please need the help to achieve the exact NAT config of Juniper .
Thanks in advance.

Rgrds,
Soumik

Review Cisco Networking for a $25 gift card